[Security Solution][Detections] Add rule overrides for single event EQL rules #78876
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
marshallmain
added
Team:SIEM
v8.0.0
v7.10.0
Feature:Detection Rules
|
Pinging @elastic/siem (Team:SIEM) |
marshallmain
added
the
release_note:skip
spong
approved these changes
Sep 30, 2020
There was a problem hiding this comment.
Checked out, tested locally, and performed code review -- LGTM! 👍
Tested Severity override, Risk score override, Rule name override, and Timestamp override and each functioned as expected for non-sequence EQL rules. Appreciate the cleanup in (and added!) tests, and abstraction with eventSource. And ++ to further refactoring with buildRuleWithOverrides in place of buildRule, thanks all the cleanup @marshallmain! 🙂
|
Just a note, in testing sequences, the overrides do function with the child sequence alerts (and as expected, not parents). Curious if we want to just disable overrides when it's a sequence query? @MikePaquette / @paulewing, is there any use in the overrides functioning with sequence alerts? Override config
Resulting Alerts (w/ building block sequence alerts)
|
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
marshallmain
added a commit
to marshallmain/kibana
that referenced
this pull request
Sep 30, 2020
…QL rules (elastic#78876) * Add buildRuleWithOverrides function for single event EQL queries * Disable rule overrides for all sequence signals Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
phillipb
added a commit
to phillipb/kibana
that referenced
this pull request
Sep 30, 2020
…aly-detection-partition-field * 'master' of github.com:elastic/kibana: (37 commits) Fixes for the Ticket 78375 (elastic#79004) [Security] Alert Telemetry for the Security app (elastic#77200) [Search bar] Remove duplicate `popoverProps` (elastic#79025) [Security Solution][Detections] Add rule overrides for single event EQL rules (elastic#78876) [SECURITY_SOLUTION][ENDPOINT] Improve Endpoint Host data generator to also integrate with Ingest (elastic#74305) remove file accidentally checked in (elastic#79005) [ML] DF Analytics creation wizard: replace select input with job type cards with icons (elastic#78872) [Design] A couple fixes for 7.10 (elastic#78801) Fix KQL autocomplete value suggestions (elastic#78676) [Security Solution][Resolver] New mock with cursor (elastic#78863) Embeddables: basic documentation (elastic#78900) [security solution] only import beat_schema when needed (elastic#78708) [Reporting] API Integration tests: fix flaky tests for Spaces CSV formatting (elastic#78849) [Actions] Adds a "Test Connector" button on the Connectors List to make discovery of the Test tab easier (elastic#78746) [Discover] Fix functional time picker test permissions (elastic#78564) [ML] Fixing module datafeed overrides (elastic#78925) Adds some missing licenses to the CSV export (elastic#78719) [dev/cli] ensure plugins/ and all watch source dirs exist (elastic#78973) [Lens] Stop using scripted metric to collect telemetry (elastic#78687) [Lens] fix wrong message in fields accordion (elastic#78924) ...
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds
buildRuleWithOverridesfunction which is essentially equivalent tobuildRule, but implemented as a composition ofbuildRuleWithoutOverrides(which is used for sequences, and might be useful for other "synthetic" signals where overrides from an event don't make sense) andapplyRuleOverrides. These functions take the rule SavedObject or RuleTypeParams as a parameter and extract values from it rather than passing in all the necessary values individually.I'd like to refactor soon and use
buildRuleWithOverridesin place ofbuildRuleso we can pass the SavedObject as a single parameter through the layers of functions instead of a longer list of parameters. It's not refactored here since there are multiple layers throughout different rule types with 15-20+ parameters being passed in so the diff will be relatively large. After the refactor we can removebuildRuleso we don't have to maintain both implementations.Checklist
Delete any items that are not applicable to this PR.
For maintainers